Tuesday, June 16, 2015

Bombshell: FBI Investigating Cardinals Hacking Of Astros Front Office

The New York Times uncorked a doozy today when they broke the story that the FBI is investigating the St. Louis Cardinals for hacking into the Astros' network and stealing proprietary player data.

The
Astros hired Mr. Luhnow as general manager in December 2011, and he
quickly began applying his unconventional approach to running a baseball
team. In an exploration of the team’s radical transformation, Bloomberg Business called it “a project unlike anything baseball has seen before.”

Under
Mr. Luhnow, the Astros have accomplished a striking turnaround; they
are in first place in the American League West division. But in 2013,
before their revival at the major league level, their internal
deliberations about statistics and players were compromised, law
enforcement officials said.

The
intrusion did not appear to be sophisticated, the law enforcement
officials said. When Mr. Luhnow was with the Cardinals, the organization
built a computer network, called Redbird, to house all of their
baseball operations information — including scouting reports and player
personnel information. After leaving to join the Astros, and bringing
some front-office personnel with him from the Cardinals, Houston created
a similar program known as Ground Control.

Which suggests that Luhnow and others in the Houston front office didn't bother to change their passwords from their time at St. Louis. It also suggests that the Cardinals store their passwords in plaintext, which, why?

The primary law implicated by the Cardinals’ alleged hacking would appear to be the Computer Fraud and Abuse Act.
The CFAA was originally passed back in 1984 to protect both the
government and the financial industry from electronic espionage. The law
was later expanded in 1996, however, to cover any unauthorized, remote
access of another’s computer.
Under Section (a)(4) of the CFAA, anyone who “knowingly … accesses a protected computer without authorization” in order to “obtain[] anything of value” is subject to potential criminal liability for the hacking. Similarly, Section (a)(5)(B) of the law prohibits “intentionally access[ing] a protected computer without authorization,” should it result in any damage being inflicted on the computer’s owner.

The act provides for a five year sentence per instance of access, which could mean life imprisonment for ongoing spying. Also, the Electronic Espionage Act of 1996 makes the entire Cardinals organization possibly complicit in criminal activity, but only if the government can show high-level Cardinals knew or should have known about the matter.

But is that likely? As one of the commenters at a Facebook group observed, commissioner Rob Manfred has been pleased to use stolen evidence when it suited him; how hard can he really come down on the Cards? (Ignoring for the moment the consequence of criminal investigations, and assuming that there will be repercussions at the MLB commissioner's office.) One thing's for sure, there'll be a lot of billable hours among all parties.